Pleasure or pain? An evaluation of the costs and utilities of bloatware applications in android smartphones

摘要

We investigate the privacy, security, and trust issues of the Android bloatware applications and evaluate the claims regarding their utility and the coverage of the functional needs of different end-user market segments. We analyze 17,179 bloatware applications, extracted from the firmware of 100 Android smartphones manufactured by nine leading original equipment manufacturers (OEMs), and conduct an online user study to validate the utility and coverage claims. We find an average of 172 bloatware applications in the firmware of examined smartphones. We discover that most of the bloatware applications can access sensitive data and critical device features in smartphones and perform critical functions. Their nature and abilities due to the use of Dangerous, Custom, and Signature Android Permissions can make privacy protection a complex task for the smartphone users, introduce trust issues, and expand the attack surface in the smartphones. We also provide a non-exhaustive set of examples of bloatware applications from smartphones of all nine brands that violate trust. Coming to their utilities, findings of our online user study involving 180 participants suggest that while most of the respondents agree that bloatware applications are useful to some extent, 39% of the respondents use 0-5 bloatware applications. An additional 35% of respondents use 6-10 bloatware applications. We also find that for their diverse functional needs, users depend more on applications acquired from different application markets. The results of our research suggest that while the pains of the bloatware applications are real, the claims regarding their pleasures need further investigation. We urge that the number and abilities of smartphone bloatware applications need to be constrained proportionally to their practical utilities for their users, and they must conform to security and privacy requirements for trustworthy systems.